feat: 新增预算后端服务与差旅风险规则库

后端新增预算模型、端点和服务模块，支持预算 CRUD 和余额
查询，清理旧生成规则文件并替换为按严重等级分类的差旅风
险规则库，优化认证权限和报销单访问策略，新增财务规则目
录和演示数据构建脚本，前端预算中心增加对话框交互，完善
审计页面运行时模型和元数据展示，补充单元测试。

web/src/utils/accessControl.js

@@ -13,44 +13,82 @@ export const DEFAULT_APP_VIEW_ORDER = [
 const ALWAYS_VISIBLE_VIEWS = new Set(['workbench', 'documents', 'policies'])
 const VIEW_ROLE_RULES = {
   overview: ['finance', 'executive'],
-  budget: ['finance', 'executive'],
-  audit: ['auditor', 'finance'],
-  logs: ['manager'],
-  employees: ['manager'],
-  settings: ['manager']
-}
+  budget: ['budget_monitor', 'executive'],
+  audit: ['finance'],
+  logs: ['manager'],
+  employees: ['manager'],
+  settings: ['manager']
+}
 const CLAIM_MANAGER_ROLE_CODES = new Set(['executive'])
 const CLAIM_RETURN_ROLE_CODES = new Set(['finance', 'executive', 'manager', 'approver'])
 const CLAIM_LEADER_APPROVAL_ROLE_CODES = new Set(['manager', 'approver'])
 
-function normalizedRoleCodes(user) {
-  if (!user) {
-    return []
-  }
-
-  return Array.isArray(user.roleCodes)
-    ? user.roleCodes.map((item) => String(item || '').trim().toLowerCase()).filter(Boolean)
-    : []
-}
-
+function normalizedRoleCodes(user) {
+  if (!user) {
+    return []
+  }
+
+  return Array.isArray(user.roleCodes)
+    ? user.roleCodes
+        .map((item) => normalizeRoleCode(item))
+        .filter(Boolean)
+    : []
+}
+
+function normalizeRoleCode(value) {
+  const roleCode = String(value || '').trim().toLowerCase()
+  return roleCode === 'auditor' ? 'budget_monitor' : roleCode
+}
+
+function hasPlatformAdminIdentity(user) {
+  if (!user) {
+    return false
+  }
+
+  const username = String(user.username || user.account || '').trim().toLowerCase()
+  const role = String(user.role || '').trim().toLowerCase()
+  const roleCodes = normalizedRoleCodes(user)
+
+  return (
+    Boolean(user.isAdmin)
+    || username === 'admin'
+    || role === 'admin'
+    || role === '管理员'
+    || role === '系统管理员'
+    || roleCodes.includes('admin')
+  )
+}
+
 export function isManagerUser(user) {
-  return Boolean(user?.isAdmin) || normalizedRoleCodes(user).includes('manager')
+  return hasPlatformAdminIdentity(user) || normalizedRoleCodes(user).includes('manager')
 }
 
 export function isPlatformAdminUser(user) {
-  return Boolean(user?.isAdmin)
+  return hasPlatformAdminIdentity(user)
 }
 
 export function isFinanceUser(user) {
   return normalizedRoleCodes(user).includes('finance')
 }
 
-export function isExecutiveUser(user) {
-  return normalizedRoleCodes(user).includes('executive')
-}
-
+export function isExecutiveUser(user) {
+  return normalizedRoleCodes(user).includes('executive')
+}
+
+export function isBudgetMonitorUser(user) {
+  return normalizedRoleCodes(user).includes('budget_monitor')
+}
+
+export function canEditBudgetCenter(user) {
+  return isPlatformAdminUser(user) || isExecutiveUser(user)
+}
+
+export function canSwitchBudgetDepartments(user) {
+  return isPlatformAdminUser(user) || isExecutiveUser(user)
+}
+
 export function canManageExpenseClaims(user) {
-  if (Boolean(user?.isAdmin)) {
+  if (isPlatformAdminUser(user)) {
     return true
   }
 
@@ -58,21 +96,21 @@ export function canManageExpenseClaims(user) {
 }
 
 export function canDeleteArchivedExpenseClaims(user) {
-  return Boolean(user?.isAdmin)
+  return isPlatformAdminUser(user)
 }
 
 export function canReturnExpenseClaims(user) {
-  if (Boolean(user?.isAdmin)) {
+  if (isPlatformAdminUser(user)) {
     return true
   }
 
   return normalizedRoleCodes(user).some((roleCode) => CLAIM_RETURN_ROLE_CODES.has(roleCode))
 }
 
-export function canApproveLeaderExpenseClaims(user) {
-  if (Boolean(user?.isAdmin)) {
-    return true
-  }
+export function canApproveLeaderExpenseClaims(user) {
+  if (isPlatformAdminUser(user)) {
+    return true
+  }
 
   return normalizedRoleCodes(user).some((roleCode) => CLAIM_LEADER_APPROVAL_ROLE_CODES.has(roleCode))
 }
@@ -86,6 +124,14 @@ export function canAccessAppView(user, viewId) {
     return false
   }
 
+  if (viewId === 'budget') {
+    if (isPlatformAdminUser(user)) {
+      return true
+    }
+    const roleCodes = normalizedRoleCodes(user)
+    return VIEW_ROLE_RULES.budget.some((roleCode) => roleCodes.includes(roleCode))
+  }
+
   if (isManagerUser(user)) {
     return true
   }